
Passive Aggression: A New Paradigm for Information Gathering (IG)

The devastating effects of the silent attacker


Johnny Long
Johnny@ihackstuff.com

Summary: Passive techniques have been used for years in diagnostic capacities, and more
recently in Intrusion detection capacities. For an almost equal number of years hackers have used
extremely basic sniffing techniques to leverage attacks deeper and deeper into their target's
networks. Sophisticated attackers and well-funded agencies will certainly begin to leverage more
and more use out of well-crafted, well-executed passive attacks. This presentation will demonstrate
the evolution of passive attack techniques, and speculate as to the future use of these techniques. In
addition, the concept of a “global information black market” will be introduced as the culmination
of a distributed passive architecture.

Presentation Style: Network traffic snapshots will be provided of all examples and data stream
passes in slide format. Slides will show both a high level view of network traffic, as well as a very
high-resolution drilldown of the fields the example focuses on. Traffic capture and presentation will
employ tools such as Snort, tcpdump and ethereal. Once individual information “Segments” are
collected, the sum total of all the information will be presented at the end of each section.

Intended audience: In general, most Blackhat attendees will have an understanding of basic
sniffing techniques. This knowledge will serve as an excellent bridge to the newer concepts and
more technical aspects of this presentation. Attendees involved in both the attack and defense
realms of Information Security will be illuminated as to the global implications of advanced IG
techniques, which may not be easily blocked.

Presenter BIO: Johnny Long has been involved with “both sides of the security fence” for many
years. As a professional network security assessment engineer, Mr. Long has developed and
performed network and physical security assessments for both the Department of Defense and the
commercial sector. As an instructor, Mr. Long has developed and instructed technical security
courses for the Air Force Information Warfare Center (AFIWC), the U.S. Army 301st Military
Intelligence Battalion (301st MI), the Department of Justice, the National Security Agency, NASA,
SANS and several commercial clients. Mr. Long’s involvement in attack, defense and forensic
analysis for multinational information security incidents affords him a unique perspective on the
industry. A natural “people person”, Mr. Long has received high reviews for both his presentation
skills, as well as his ability to relate very technical material in a way that is easy to understand.

Note: This document is DRAFT, and will be fleshed out much more for the conference.

I. The legacy approach to passive IG


In the legacy model of IG, small amounts of information are extracted from an extremely large
stream of data. This model suggests a quick and dirty attacker methodology. Attackers employing
this method of IG are generally interested in a “wildfire” attack approach. This is to say that the
attacker will attack hard and fast, will spread fairly quickly, and will generally create a noticeable
disturbance. This method generally assumes direct access to a “juicy” data stream that contains
valuable data. In most cases, the attacker is positioned at the source or destination of the stream or
somewhere in between.

A. Authentication extraction
Authentication extraction, or “password sniffing”, is among the most basic of the
passive-aggressive techniques. Several publicly available tools enable an attacker to
extract the authentication information from a network data stream. In many cases,
the authentication information travels in the clear. In more modern examples, the
data is encoded or encrypted, adding a second step to the process of extraction. The
most commonly captured data comes from the following streams:

POP
FTP
TELNET
RLOGIN
RSH
REXEC
SNMP
HTTP Basic AUTH
NETBIOS plaintext
NETBeui encrypted
Novell encrypted

B. Application data extraction


An attacker that is employing crude sniffing techniques may also monitor the traffic generated by
various applications. By monitoring these streams an attacker can begin to profile the users of the
target network.

Application monitored               Profile data extracted about the users
WWW (HTTP)                          “Home” pages, bookmarked pages, frequented sites
IRC                                 Personality, on-line associates
SMTP                                Personality, personal details, potential user IDs
ICQ                                 Personality, on-line associates
Common email destinations           On-line associates, family, friends
Common email sources                What email traffic is “expected” for any user (Trojans)
Email content dirty word searching  Users which are involved in certain activities (security,
                                    administration, etc.)

II. The aggressive approach to passive IG
In the new model of aggressive passive monitoring, large amounts of information are extracted
from a relatively small stream of data. This model suggests a surgical, meticulous, very careful
attacker methodology. Attackers employing this method of IG are generally interested in hardened,
well-defined targets and focus on very specific objectives. An attacker following this methodology
will spread relatively slowly from one phase to the next and will keep a very low level of
illumination. Unlike legacy techniques, a modern attacker can skillfully leverage their passive
attacks, and may not require direct access to a production data stream. Instead, these attackers may
employ various methods to “draw” a useful data stream to his virtual presence on the network.

Terminology:
An attacker with access to a production data stream will capture an “inline stream”
An inline stream that captures useful, normal network activity is termed an “inline production
stream.”
If an attacker creates, lures, or otherwise obtains a useful data stream from outside the target
network, that data stream is termed a “remote stream.”

To understand how an advanced IG specialist will operate it is important to first understand exactly
how much data can be extracted from a small piece of data. As an example, we will take a look at a
single TCP packet to get an idea of the information that can be extrapolated from this single packet.

(Several slides and zooms through a single TCP packet, touching briefly on the various sections
that will be mentioned here)

To adequately describe the details an expert will pull from a data stream, a production, inline
stream will be assessed using a variety of different passes. Although the various passes could
certainly be performed in any order, analyzing the stream in passes clarifies the presence of
information by type. The example stream was extracted from a production machine located within
a DMZ, nestled between a pair of firewalls garnished with a matching pair of Intrusion Detection
Systems (IDS). The attacker surgically and slowly attacked the target machine, avoiding the IDS
system. The attacker then compromised a machine, and set it into passive mode.

A. Log reduction
Due to the size of the data collected, and the ultimate purpose of the stream interpretation, log
reduction schemes may be employed. For example, if the attacker is only interested in a passive
mapping exercise, any unused information in the data portion of the stream may be removed. If the
attacker is interested in more information, reduction may be skipped, and standard compression
techniques opted for.

1. Tokenize connections
A token is simply a representation of a large amount of data. By creating “element” tokens from
pieces of the data stream, the attacker can easily compress data for transit. This is a common
technique employed by modern IDS systems. For example, several pieces of the TCP session may
be reduced:

Data Packets                                   Token
SYN, SYN|ACK, ACK                              “HANDSHAKE”
ACK|PSH                                        “DATA”
FIN|ACK                                        “TEARDOWN”
RST                                            “RESET”
SYN (port n), SYN (port n+1) … SYN (port n+N)  “SYNSCAN__IP_1-N”

2. Reducing tokens
Once tokens are created, the “element” tokens are combined and further reduced to create “object”
tokens which describe the entity.

Element Tokens                 Object Token
HANDSHAKE, DATA, TEARDOWN      “NORMALSESSION_SRCIP_DSTIP”
HANDSHAKE, DATA, RESET         “RESETSESSION_SRCIP_DSTIP”
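The two reductions above (flags to element tokens, element tokens to object tokens) as an added, runnable example. This is illustration code written for this write-up, not the presenter's tool; the packet records are constructed, and the threshold at which a run of unanswered SYNs is called a scan is an assumption of the example. The same reduction is what an IDS or flow collector does to turn a packet stream into session records, which is why a defender's view of the wire and the attacker's compress to the same tokens.

```python
"""Element/object tokenizer for TCP sessions (added illustration, not the
presenter's code). Records are constructed; the scan threshold is assumed."""
from collections import defaultdict

# Constructed records: (src_ip, src_port, dst_ip, dst_port, flags), with flags
# written the way tcpdump prints them: S=SYN, SA=SYN|ACK, A=ACK, PA=PSH|ACK,
# FA=FIN|ACK, R=RST.
SAMPLE_PACKETS = [
    # session 1: normal HTTP exchange, torn down cleanly
    ("10.0.0.5", 40000, "10.0.0.9", 80, "S"),
    ("10.0.0.9", 80, "10.0.0.5", 40000, "SA"),
    ("10.0.0.5", 40000, "10.0.0.9", 80, "A"),
    ("10.0.0.5", 40000, "10.0.0.9", 80, "PA"),
    ("10.0.0.9", 80, "10.0.0.5", 40000, "PA"),
    ("10.0.0.5", 40000, "10.0.0.9", 80, "FA"),
    ("10.0.0.9", 80, "10.0.0.5", 40000, "FA"),
    # session 2: SMTP exchange that the server aborts with a reset
    ("10.0.0.5", 40001, "10.0.0.9", 25, "S"),
    ("10.0.0.9", 25, "10.0.0.5", 40001, "SA"),
    ("10.0.0.5", 40001, "10.0.0.9", 25, "A"),
    ("10.0.0.5", 40001, "10.0.0.9", 25, "PA"),
    ("10.0.0.9", 25, "10.0.0.5", 40001, "R"),
    # four unanswered SYNs to consecutive ports from a third host: a SYN scan
    ("10.0.0.7", 50000, "10.0.0.9", 1, "S"),
    ("10.0.0.7", 50001, "10.0.0.9", 2, "S"),
    ("10.0.0.7", 50002, "10.0.0.9", 3, "S"),
    ("10.0.0.7", 50003, "10.0.0.9", 4, "S"),
]

ELEMENT_OF = {"PA": "DATA", "FA": "TEARDOWN", "R": "RESET"}
OBJECT_OF = {
    ("HANDSHAKE", "DATA", "TEARDOWN"): "NORMALSESSION",
    ("HANDSHAKE", "DATA", "RESET"): "RESETSESSION",
}


def _session_key(src, sport, dst, dport):
    # both directions of one connection share a key
    return tuple(sorted([(src, sport), (dst, dport)]))


def _elements(flags):
    """Collapse one session's ordered flag list into element tokens."""
    tokens, i = [], 0
    while i < len(flags):
        if flags[i:i + 3] == ["S", "SA", "A"]:
            tokens.append("HANDSHAKE")
            i += 3
            continue
        label = ELEMENT_OF.get(flags[i], flags[i])  # unknown flags kept verbatim
        if not tokens or tokens[-1] != label:        # PA,PA,PA becomes one DATA
            tokens.append(label)
        i += 1
    return tokens


def tokenize(packets, scan_threshold=3):
    """First reduction: per session, (initiator, responder, [element tokens])."""
    flags_of, initiator, dport_of = defaultdict(list), {}, {}
    for src, sport, dst, dport, flags in packets:
        key = _session_key(src, sport, dst, dport)
        initiator.setdefault(key, (src, dst))
        dport_of.setdefault(key, dport)
        flags_of[key].append(flags)
    records, lone_syns = [], defaultdict(list)
    for key, flags in flags_of.items():
        src, dst = initiator[key]
        if flags == ["S"]:  # a SYN nobody answered: hold it for scan detection
            lone_syns[(src, dst)].append(dport_of[key])
            continue
        records.append((src, dst, _elements(flags)))
    for (src, dst), ports in lone_syns.items():
        if len(ports) >= scan_threshold:  # assumed threshold
            records.append((src, dst, [f"SYNSCAN_{min(ports)}-{max(ports)}"]))
        else:
            records.extend((src, dst, ["SYN"]) for _ in ports)
    return records


def reduce_tokens(records):
    """Second reduction: element-token sequences become object tokens."""
    return [f"{OBJECT_OF.get(tuple(tokens), '+'.join(tokens))}_{src}_{dst}"
            for src, dst, tokens in records]


def summarize(packets):
    return reduce_tokens(tokenize(packets))


if __name__ == "__main__":
    for token in summarize(SAMPLE_PACKETS):
        print(token)
    print(f"{len(SAMPLE_PACKETS)} packets -> {len(summarize(SAMPLE_PACKETS))} tokens")
```

Sixteen packets reduce to three object tokens here; sequences that match no known object (a handshake with no data, for instance) are emitted as the joined element tokens so nothing is silently dropped.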

B. Log delivery techniques

Once an adequate data stream is collected, an advanced attacker’s tool will use detected protocol
distributions to determine the protocol to offload the data with. Common traffic may include port
25 (SMTP) port 80 (HTTP) or port 21 (FTP). The attacker will certainly embed various offload
techniques to allow for varying terrains.

Delivery Mechanism                                   Retrieval Mechanism
PGP encrypted onion relay SMTP mail (demonstrated)   Sniffed anonymous mail relay loop
Encoded HTTP post through dejanews to NNTP group     Proxy relayed web retrieval against any NNTP server
Encrypted FTP “warez site” upload as .zip file       Proxy relayed FTP download

C. Parsing the stream (Pass #1): Network Mapping


Once the data stream is offloaded, parsing of the stream begins.
Passive monitoring provides the information necessary to construct a detailed network map. These
highly detailed network views provide insight into single points of failure (denial of service
targets), high profile targets, LAN and WAN interconnection points and network support
application services. In order to create a map of this much detail, a great deal of information must
be gathered such as active hosts and ports, IP and MAC addresses, and active network services and
protocols. Several tools exist to perform these tests actively. However, many of the techniques can
be performed in a completely passive fashion. Our first pass extracts the data necessary to create a
basic network map.

Needed Information            Passive method of capture
IP addresses of active hosts  Log any host that elicits network traffic.
Active ports                  Log each socket that elicits a TCP SYN|ACK packet; infer services
                              based on open ports.
MAC addresses                 Record the IP-MAC combinations of all active boxes on a subnet. By
                              parsing these pairings, various network information can be
                              determined, such as the existence of routers and proxy servers.
Active protocols              By parsing the various protocols captured above the lowest level
                              frame (Ethernet, for example) the attacker can modify future capture
                              runs to parse those protocols.
Location of key servers       Several servers may play key roles on the network. For example,
                              examination of packet payloads can easily reveal the presence of
                              DHCP, DNS, WINS or even third-party authentication servers.
Network status messages       ICMP messages provide several types of information, including
                              network information such as blocked networks, blocked hosts and
                              blocked ports.
Location of network consoles  SNMP COIs generally provide access to SNMP devices. With proper
                              configuration, however, the SNMP device will not elicit responses
                              to any address that requests them. An address that successfully
                              receives SNMP data from network devices is generally an SNMP
                              monitoring station. These devices are generally higher profile, or
                              exist on higher profile subnets.
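The first pass in code, as an added example written from the viewpoint of a defender doing passive asset inventory on their own segment (the same rows of the table above: active hosts from any traffic, open ports from SYN|ACK, routers from the IP-MAC pairings, key servers from service payloads, filtered paths from ICMP). This is not the presenter's code; the frames are constructed, and the local subnet, the UDP service-port table and the router heuristic are assumptions of the example.

```python
"""Passive network map from captured frames (added example, not the presenter's
code). Frames are constructed; LOCAL_NET and SERVICE_PORTS are assumptions."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("10.0.0.0/24")                 # assumed: segment the sensor sits on
SERVICE_PORTS = {53: "DNS", 67: "DHCP", 137: "WINS"}  # assumed: UDP source ports of key servers
ICMP_UNREACH = {0: "net-unreachable", 1: "host-unreachable",
                3: "port-unreachable", 13: "admin-prohibited"}  # ICMP type 3 codes


def frame(src_mac, src_ip, dst_mac, dst_ip, proto, sport=None, dport=None,
          flags="", icmp=None):
    """icmp = (type, code, original_dst_ip, original_dst_port) for type-3 messages."""
    return dict(src_mac=src_mac, src_ip=src_ip, dst_mac=dst_mac, dst_ip=dst_ip,
                proto=proto, sport=sport, dport=dport, flags=flags, icmp=icmp)


H5, H9, H2, H10, GW = ("aa:00:00:00:00:05", "aa:00:00:00:00:09",
                       "aa:00:00:00:00:02", "aa:00:00:00:00:0a", "aa:00:00:00:00:01")
SAMPLE_FRAMES = [  # constructed
    frame(H5, "10.0.0.5", H9, "10.0.0.9", "tcp", 40000, 80, "S"),
    frame(H9, "10.0.0.9", H5, "10.0.0.5", "tcp", 80, 40000, "SA"),      # port 80 listens
    frame(H5, "10.0.0.5", H2, "10.0.0.2", "udp", 41000, 53),
    frame(H2, "10.0.0.2", H5, "10.0.0.5", "udp", 53, 41000),            # DNS server answers
    frame(H5, "10.0.0.5", GW, "192.0.2.10", "tcp", 40001, 443, "S"),
    frame(GW, "192.0.2.10", H5, "10.0.0.5", "tcp", 443, 40001, "SA"),   # off-net host via GW
    frame(H5, "10.0.0.5", GW, "198.51.100.7", "tcp", 40002, 25, "S"),
    frame(GW, "198.51.100.7", H5, "10.0.0.5", "tcp", 25, 40002, "SA"),
    frame(GW, "10.0.0.1", H5, "10.0.0.5", "icmp", icmp=(3, 13, "192.0.2.20", 23)),
    frame(H10, "10.0.0.10", H5, "10.0.0.5", "udp", 67, 68),             # DHCP server offer
]


def passive_map(frames, local_net=LOCAL_NET):
    hosts, open_ports, blocked = set(), set(), []
    ips_behind_mac, key_servers = defaultdict(set), defaultdict(set)
    for f in frames:
        hosts.add(f["src_ip"])                          # anything that talks is alive
        ips_behind_mac[f["src_mac"]].add(f["src_ip"])
        if f["proto"] == "tcp" and f["flags"] == "SA":
            open_ports.add((f["src_ip"], f["sport"]))   # SYN|ACK proves a listener
        elif f["proto"] == "udp" and f["sport"] in SERVICE_PORTS:
            key_servers[SERVICE_PORTS[f["sport"]]].add(f["src_ip"])
        elif f["proto"] == "icmp" and f["icmp"] and f["icmp"][0] == 3:
            _, code, target, port = f["icmp"]           # something on the path filters
            blocked.append({"reporter": f["src_ip"], "target": target, "port": port,
                            "reason": ICMP_UNREACH.get(code, f"code-{code}")})
    # a MAC that sources traffic for off-subnet IPs is forwarding: a router or proxy
    routers = sorted(mac for mac, ips in ips_behind_mac.items()
                     if any(ip_address(ip) not in local_net for ip in ips))
    return {
        "active_hosts": sorted(hosts),
        "local_hosts": sorted(ip for ip in hosts if ip_address(ip) in local_net),
        "open_ports": sorted(open_ports),
        "ip_mac": {mac: sorted(ips) for mac, ips in ips_behind_mac.items()},
        "routers": routers,
        "key_servers": {name: sorted(ips) for name, ips in key_servers.items()},
        "blocked": blocked,
    }


if __name__ == "__main__":
    for section, value in passive_map(SAMPLE_FRAMES).items():
        print(f"{section}: {value}")
```

The sensor never sends a packet; every row of the map comes from traffic the hosts produced on their own, which is also why a defender's passive inventory will surface hosts and listeners that an active scan behind a stateful firewall would miss.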

D. Parsing the stream Pass #2: Application Thumbprinting


Application thumbprinting involves using data found in various application streams to determine
the type and version of the listening application. By focusing on the application part of our network
stream, we can more than infer the services running:

Application              Information gathered
HTTP Server headers      HTTP server application and version
SMTP Banners             SMTP server application and version
FTP Banners              FTP server application and version
SSH Server hails         SSH server protocol version
NETBEUI code collection  NetBEUI services running

E. Parsing the stream Pass #3: Operating System Thumbprinting


OS thumbprinting involves determining the platform of the target machine. This technique is
commonly employed by such tools as commercial vulnerability scanners, port scanning products
like nmap, and OS thumbprinting tools such as Queso. By using this exact technique in a passive
capacity, similar results can be obtained. Various factors aid in this determination, including:

Factor                                    How it helps
TCP window size                           The TCP window size can be looked up in a public list
                                          (nmap-os-fingerprints) or a more robust private list.
SNMP system variable                      Dead giveaway as to the OS of the target.
TELNET banner tokens                      Dead giveaway as to the OS of the target.
FTP banner tokens                         Dead giveaway as to the OS of the target.
Behavioral responses to stealth scanning  Machines respond differently to various types of
                                          stealth scans.
Hardware MAC prefix lookup                By parsing the first three bytes of the MAC address,
                                          the machine’s OS can be determined.

F. Parsing the stream Pass #4: Determining Firewall/Filter Access Control Lists

Firewall and packet filter rule sets are generally based on one of two factors: address and port rules,
protocol or service rules, or a combination of the two. By focusing on the appropriate area of the
collected data stream, these rule sets can be inferred.

Data                                Information gleaned
All inbound/outbound connections    All inbound and outbound connections indicate the presence of
                                    an allow rule in the firewall.
Local/Remote IP and port recording  By recording the addresses and ports of all successful sessions
                                    between devices, an Access Control List (ACL) can be drafted.
                                    Armed with an ACL, an attacker gains detailed knowledge of WAN
                                    trusts.
Protocol distribution               In the presence of a stateful firewall, collection of active
                                    protocols, and subsequent tokenizing of the collected protocol’s
                                    traffic, provides the information necessary to subvert the
                                    firewall. If the protocol is encrypted or unknown, an attacker
                                    can infer a high-profile target list.

G. Parsing the stream Pass #5: Host-based "personal ACLs"


Personal ACLs may take the form of host-based trust relationships or even personal firewalls.
Intelligent passive monitoring provides insight into these personal ACL rule-sets. By monitoring
the addresses of all station-to-station connects, the attacker can determine:

Information                         How to get it
R* service trusts                   By monitoring successful r* (rlogin, rsh, rcp) connections
                                    between boxes, the list of trusted boxes can be enumerated.
NFS file sharing "trusts"           If the NFS server restricts NFS mounts by address or user
                                    group, recording of successful NFS sessions provides insight
                                    into those restrictions.
TCP Wrappers (tcpd) ACLs            TCP Wrappers restricts connections to UNIX network services by
                                    IP address. By recording successful and unsuccessful connects
                                    to TCP-wrapped machines, parts or all of the machine’s allow
                                    and deny tables can be determined.
Windows workstation share connects  Windows workstations can restrict file shares to IP addresses.
                                    Successful connects enumerate the trust list.
Windows NT Admin user connects      By monitoring Administrative connections to NT servers, an
                                    administrator’s personal workstation can be determined. These
                                    serve as higher profile targets.

H. Parsing the stream Pass #6: “Personal firewall” ACL determination

“Personal Firewall” products provide some level of host-based protection against unauthorized
access. These products are very similar to firewall products in their use of address, port, or protocol
ACLs. By sniffing the source and destination addresses and protocols of a protected machine, an
accepted usage policy can be determined. By following these policies strictly, an intelligent attack
can be mounted. For example, if it is known that a target is running a product like “Black Ice
Defender”, monitoring will show what hosts, ports and protocols the user connects to on a regular
basis. Any future attacks will be mounted as spoofed from these addresses.

I. Parsing the stream Pass #7: Watch the watchers watching the watcher!?!

If the attacker has access to an inline production stream, it is possible to determine various security
and response mechanisms that may be in place:

Information                                  What it could mean
DNS lookups performed on non-traffic boxes   A sniffing box performing name queries
SRC MAC addresses of all sixes               Anti-sniff running on SRC
DST address responds to MAC of all sixes     DST address is sniffing
Invalid SRC MAC address w/ valid IP          Anti-sniff running on SRC
DST responds to invalid MAC w/ valid IP      DST box is sniffing
SRC MAC of FF:00:00:00:00:00                 Anti-sniff running on SRC
Encrypted stream                             Higher profile target
REALSECURE NETBIOS tag                       RealSecure service running
Encrypted traffic coordinated to attacks     IDS system running
Whacked legit/attack traffic ratio           Honeypot

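The MAC-based rows of the table above rest on one observation: a network card that is not in promiscuous mode drops frames whose destination MAC is not its own, so a host that answers an echo sent to its IP but to a bogus MAC is reading frames not addressed to it. The added example below evaluates that check over captured frames, the way a defender would sweep their own segment for promiscuous hosts. It is not the presenter's code; the frames are constructed, and treating a host's source MAC in ordinary traffic as its real MAC is an assumption of the example.

```python
"""Sniffer indicators from captured frames (added example, not the presenter's
code). Frames are constructed; real MACs are learned from normal traffic."""
BROADCAST = "ff:ff:ff:ff:ff:ff"

# Constructed frames: (src_mac, src_ip, dst_mac, dst_ip, kind)
SAMPLE_FRAMES = [
    ("aa:00:00:00:00:05", "10.0.0.5", "aa:00:00:00:00:09", "10.0.0.9", "normal"),
    ("aa:00:00:00:00:09", "10.0.0.9", "aa:00:00:00:00:05", "10.0.0.5", "normal"),
    ("aa:00:00:00:00:08", "10.0.0.8", "aa:00:00:00:00:05", "10.0.0.5", "normal"),
    # echo requests to the right IP but a bogus ("all sixes") destination MAC
    ("aa:00:00:00:00:05", "10.0.0.5", "66:66:66:66:66:66", "10.0.0.9", "echo-request"),
    ("aa:00:00:00:00:05", "10.0.0.5", "66:66:66:66:66:66", "10.0.0.8", "echo-request"),
    # 10.0.0.9 answers although its card should have dropped the frame;
    # 10.0.0.8 stays silent, as a non-promiscuous host does
    ("aa:00:00:00:00:09", "10.0.0.9", "aa:00:00:00:00:05", "10.0.0.5", "echo-reply"),
    # an ordinary broadcast ping and its reply must not be flagged
    ("aa:00:00:00:00:08", "10.0.0.8", BROADCAST, "10.0.0.255", "echo-request"),
    ("aa:00:00:00:00:05", "10.0.0.5", "aa:00:00:00:00:08", "10.0.0.8", "echo-reply"),
]


def learn_real_macs(frames):
    """The MAC a host uses as source in normal traffic is taken as its real one
    (assumption of this example)."""
    real = {}
    for src_mac, src_ip, _, _, kind in frames:
        if kind == "normal":
            real.setdefault(src_ip, src_mac)
    return real


def sniffer_indicators(frames):
    """Return sorted (ip, indicator, detail) tuples for the rows of the table."""
    real = learn_real_macs(frames)
    probes, findings = {}, set()
    for src_mac, src_ip, dst_mac, dst_ip, kind in frames:
        if kind == "echo-request":
            expected = real.get(dst_ip)
            # a unicast echo to a known host carried on a MAC that is not the
            # host's and not broadcast: somebody is running an anti-sniff probe
            if expected and dst_mac not in (expected, BROADCAST):
                probes[(src_ip, dst_ip)] = dst_mac
                findings.add((src_ip, "probing-station",
                              f"sent frames to bogus MAC {dst_mac}"))
        elif kind == "echo-reply" and (dst_ip, src_ip) in probes:
            # the probed host replied: its stack saw a frame its card should
            # have filtered, so the interface is in promiscuous mode
            findings.add((src_ip, "likely-sniffing",
                          f"answered an echo addressed to MAC {probes[(dst_ip, src_ip)]}"))
    return sorted(findings)


if __name__ == "__main__":
    for ip, indicator, detail in sniffer_indicators(SAMPLE_FRAMES):
        print(f"{ip:12} {indicator:16} {detail}")
```

The table lists two bogus patterns (all sixes and FF:00:00:00:00:00) because operating systems filter differently once the card is promiscuous: some stacks answer anything with their IP in it, while others still compare part of the destination MAC, so a sweep uses several patterns. A host that stays silent is not proven clean; a promiscuous host whose stack re-checks the MAC will never answer, and the check only ever establishes a positive.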
J. Parsing the stream Pass #8: Monitoring other attackers
An inline production stream will eventually show signs of other attackers. By monitoring this data,
an advanced attacker can determine several things.

Unsuccessful attacks provide a list of which exploits not to try. These unsuccessful attacks can also
be analyzed to determine syntactical errors, which could be corrected by the attacker.

Successful attacks provide a free roadmap of vulnerabilities. The attacker can simply follow in the
footsteps of the monitored intruder.

Instead of following the intruder, an advanced attacker may simply continue to monitor the
offloaded stream, gathering all the data the intruder accessed. Typically, password files and
configuration files will be accessed during the intruder’s session. This data can be used without the
advanced attacker logging in.

K. Parsing the stream Pass #9: Dealing with crypto


Once the data stream has been fully parsed, it becomes readily apparent that certain pieces of the
data stream are unreadable. This may be due to encryption, or simply a misunderstanding of the
syntactical structure of the data. In the case of syntactical problems, statistical analysis attacks will
prove to be the most fruitful. Encryption, on the other hand, presents a problem for the IG process. In
general, it is safe to leave most modern crypto to a true cypherpunk. The IG expert will certainly
not be a master of all trades. There remain, however, several possibilities beyond analysis of the
crypto itself.

Out-of-band IG: Once an encrypted stream is parsed and statistical analysis fails, the focus will
shift to out-of-band data IG. As an example, a typical encryption stream will be point to point;
secure shell terminal connections are a good example of this. When a security-conscious user uses
SSH to connect to a remote machine, only the terminal connection itself is encrypted (as well as
user-defined forwarded ports). The TCP/IP headers are not encrypted, allowing the thumbprinting
analysis mentioned above. Support service calls are not encrypted. This will include DNS, WINS,
ARP, and ICMP traffic. If the SSH server requires these services, the calls will be made in the
clear, and should appear in the stream (depending on your proximity to the machines). If the user
executes a command across the encrypted pipe that requires name resolution, the stream shows that
information. This presents a secondary method of attacking the encrypted session: attacking or
spoofing the DNS server or other trusted service.

Assumed trusts: Several popular crypto solutions require time stamp and correction services. In
general, time references become a part of the crypto equation. Many vendors utilize the standard
Network Time Protocol (NTP). These requests and responses happen in the clear. As part of the IG
process, these and similar data sources’ data streams should be parsed. Gaining access to a trusted
service or host may leverage compromise of the trusting host, or a denial of service to the
encryption technique through spoofed skewed time responses.

Target priority advancement: Once an encrypted stream is discovered, the source and destination of
the encrypted stream become higher-profile targets. All other traffic from these two boxes will be
examined more carefully.

II. A new paradigm: The art of remote passive IG


Passive monitoring, even the detailed aggressive species listed above, is certainly not a new
concept. Provided with access to an inline production data stream, a nearly unlimited amount of
information can be gleaned over time. However, a new, much more insidious method of passive-
aggressive information gathering is beginning to see the light of day. This method does not require
the attacker to first infiltrate the target network. Instead, the attacker employs various methods to
draw a data stream to himself. Then, armed with even a very small data stream, the attacker extracts
a large amount of information about the target, catalogs that data, and continues until an attack
picture develops.

A. Open Source IG
Open source information gathering involves searching public resources for information about a
target. Online resources can be queried through sites like samspade.org, or queried directly through
proxy chaining. Sources may include any of the following:

Service                                What information can be gathered
Whois records                          Generally contain POCs, IP address blocks owned, registration
                                       date, DNS servers, phone numbers, street addresses
DNS records                            Contain hostnames (reverse DNS scans), key server locations
                                       (SMTP, WWW, FTP)
Web pages                              Plethora of information! SMTP user names, web development
                                       application info, and many more obvious things…
Technical want ads: newspaper, online  These documents generally contain information about the
                                       target company such as operating system types and versions,
                                       application types and versions, security products in use
Corporate profiles                     Corporate profiles generally include information about
                                       corporate partners, illuminating alternate points of access

B. Trojan/Viral strains of passive mappers


Passive mapping programs put a relatively new twist on standard Trojan horses and viral strains:
that of a malicious program designed to gather information about a target. These second and third
generation viruses have found a natural home on Information Warfare (IW) fronts and are generally
very sophisticated, self-aware programs designed to infiltrate networks and gather information,
which is subsequently forwarded to an offline cache point for later retrieval.
More common, however, are Trojan horse programs, including macro viruses. These programs are
generally embedded in standard Office documents and delivered through standard email channels.
Recent high-publicity outbreaks include the Melissa virus and Bubbleboy.

Microsoft has recently “locked down” its Office suite of applications by disabling automatic macro
launch unless authorized by the user. Unfortunately, MS Access VBA was not afforded the same
protection.

(See the detailed write-up of the Trojan VBA code attached. This will be released to bugtraq
shortly)

C. Luring data streams


Another method of passive mapping involves “luring” users outside their safety zone. The Internet
provides a perfect enticement for Intranet users stepping out of their network “strongholds”.
Whether the language of choice be Java, JavaScript, VBScript, Postscript, or even Flash animation,
advanced IG experts are using the power of portable code and malicious applications to gather
information about their targets.

(Several methods will be demonstrated here, including a Java listener, a JavaScript info scoop, and
perhaps a Flash file pop.)

D. Information “Black Markets”

Software pirates currently employ this technique to acquire a larger personal library of pirated
software. A typical software pirate may gather software he has no intent of using. This software
simply serves as currency on the “pirate market” for the barter of more software. Eventually,
pirates actually get the software they are interested in through the process of bartering against the
market.

Applying this methodology to the passive IG scenario, several attackers monitor any streams they
have access to, including their local Internet connections. Like software pirates collecting software,
the collected data of an IG “player” may not be of any interest whatsoever to the player that collects
it. Instead, the data is used to barter for more relevant data from other players. These players could
even collect data from their own Internet connections including ISP dial-ups/shell accounts, ISDN
connections, cable modem segments and DSL segments. An expert in IG will find all sorts of
relevant data from their own local data streams:

Local data stream information:
  jump boxes
  attack sources
  attack targets
  MAC and IP lists for future spoofing attempts
  streams of employees connecting to businesses

Once an attacker has collected a data stream, the stream can be tagged and distributed in a
community environment. A very recent example of this technique would be the “napster” tool,
which allows mp3 enthusiasts to share files in a community environment. Individual users connect
to a central server that catalogs the mp3 files in “collection” directories. The catalog of mp3 files is
added to a master database, which lists the files owned by all the online users. Users are free to
download files from any other “napster” user’s mp3 collection. This allows free and open exchange
of files in a community environment.

An interesting twist to the use of this product is to exchange interesting data streams using the
existing tool. This can be done in a few ways: by transferring non-mp3 files, or by using
steganography to embed the data into actual mp3 files. The naming conventions of the mp3 files
could adequately describe the source and destination addresses of all the involved hosts.

III. “Almost Passive”: The latest in stealth IG technology


Stealth has taken on a new meaning in recent years. This section will discuss the latest advances in
stealth technology including the latest stealth scanning packet combos, reflective scanning and
stealth host detection.

IV. How important is effective IG anyway?


A. A personal IG study
This section will detail the parameters and outcome of a study performed by the presenter.

Parameters of the study:


All subjects were professional network security engineers. (hackers)
Subjects were presented with a locked (firewall, etc) CD container. (Secured host/network)
All subjects were requested to retrieve CDs from the locked container. (hack host/network)
Half of the subjects were required to write a methodology for accessing the CDs within the
container before touching the container. (perform passive IG first)
Half of the subjects were allowed to touch the container at any time and were not required to write
a methodology. (no passive IG, all active)
Once (if) the CDs were successfully retrieved, the subjects were all requested to put the container
back in exactly the same state as it was found. (covering tracks)

1. Results of the study


All subjects successfully accessed the CDs
Nearly all the subjects who performed passive IG were able to successfully and accurately replace
all the components (cover tracks)
Of the subjects who performed no passive IG, very few were able to successfully and accurately
replace all the components (cover tracks)
Nearly every subject approached the problem differently, yet achieved similar results.
Less than half of the subjects focused on the locking mechanism itself.

2. Equating the study to a network intrusion

V. Recent coordinated examples of passive aggression


This section will discuss various obvious examples of passive-aggressive tactics.

A. Project P415 (Echelon)

UKUSA (UK-USA) agreement
Cheltenham
Upgrading the system: Zircon sats

B. System for Operational-Investigative Activities (SORM)

ISP-installed black box wired to FSB (ex-KGB) HQ allows agencies to monitor all Internet traffic:
Tax police
Interior Ministry police
Kremlin
Parliament Security Guards
Presidential Security Guards
Border Patrol
Customs
No warrants needed

VI. An Interactive example of Passive IG to subvert a network


This interactive demonstration will tie together all the aspects of the presentation into an actual, live
attack incorporating the concepts discussed above. This presentation will include resultant network
maps, vulnerability data and packet-level view of all relevant topics. The audience will be called on
to pull the various information elements from the data streams, and put the information together
into an attack map of the target network.
